EFS mixed clients and shared folders

  • Thread starter Thread starter James Fabulous
  • Start date Start date
J

James Fabulous

I've done a good deal of reading today that has bolstered my understanding
of EFS and its uses and limitations. However a couple of questions are
still apparent when I use this knowledge.

Scenario:
FolderA is shared as FolderA with Domain Admins having Full Control both
Sharing and NTFS security
FolderB is under FolderA and has the same permissions for NTFS
FolderB (and susequent contents an excel spreadsheet) were encrypted by
UserA (a domain admin) on the server (Win2K3) using the GUI.

UserA's works from a Win2K SP4 workstation and visits FolderA via the
network share and browses into FolderB. Double clicks the spreadsheet to
open the file which executes Excel and produces the error "Cannot access
read-only file FileA.xls" promptly followed by "Cannot access FileA".

Is there a reason that an EFS encrypted file would not work under this
scenario? How do I resolve this?

In addition to the issue above even when using the details tab (apparent on
the Win2K3 server but not available on Win2K clients like UserA's
workstation) UserA adds certificates of another domain admin UserB. UserB
has an XPSP2 workstation but gets the same error when attempting to open the
file in the same fashion as stated above.

According to what I've read there should be no issue with that either - Any
ideas?

*SideNote - an EFS RA has been established and certificates exported to
offsite locations. When viewing the EFS properties for the file via the
Win2K3 server and the XP client the information shown is correct.
 
One thing to check is that the server is trusted for delegation in it's
computer account in Active Directory users and computers. See the link below
that covers using EFS on a server share and I would also first try something
simpler like a notepad file. I am not an expert in Office but I know that it
can generate and use temporary files which adds more complexity to a
configuration. Also have a user try to access the share remotely to see if
they can encrypt a file and then decrypt it. What will happen is the first
time a user does this is a "mini" user profile will be built for the user on
the server with the share that will contain the users certificate and EFS
private key that will also be generated for the user. Try a user that has
never logged onto the server interactively. Note that if a user copies a
file from the server share to his computer to an EFS folder on his computer
the file is decrypted on the server, goes over the network in clear text,
and then is encrypted again on his computer and if the user does not have
the same EFS certificate/private key on his workstation a different EFS
certificate/private key is used. The efsinfo utility is useful in
determining what users and Recovery Agents can access an EFS file and can
also display the thumbprint of the certificates which can be compared to the
EFS certificates that exist for a user or RA on a computer. --- Steve

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prnb_efs_umpb.asp
OR
http://tinyurl.com/c4ded
http://support.microsoft.com/default.aspx?scid=kb;en-us;243026&sd=tech --
efsinfo details.
 
Back
Top